U.S. NAVAL ACADEMY COMPUTER SCIENCE DEPARTMENT TECHNICAL REPORT Internet Protocol Version 6 (IPv6): Capabilities, Operational Concepts, and the Transition from IPv4 Domagalski, Joshua E. USNA-CS-TR-2008-01 August 27, 2008 USNA Computer Science Dept. ◦ 572M Holloway Rd Stop 9F ◦ Annapolis, MD 21403 U.S. NAVAL ACADEMY COMPUTER SCIENCE DEPARTMENT TECHNICAL REPORT Internet Protocol Version 6 (IPv6): Capabilities, Operational Concepts, and the Transition from IPv4 Domagalski, Joshua E December 6, 2007 Computer Science Department SI495A: Research Project Report Fall AY08 Internet Protocol Version 6 (IPv6): Capabilities, Operational Concepts, and the Transition from IPv4 by Midshipman Joshua Domagalski, 081812 United States Naval Academy Annapolis, MD _________________________ ________________ Date Certification of Faculty Mentor’s Approval Assistant Professor Patrick Vincent Department of Computer Science _________________________ ________________ Date Assistant Professor Thomas Augustine Department of Computer Science _________________________ ________________ Date Department Chair Endorsement Captain Thomas Logue Chair, Department of Computer Science _________________________ ________________ Date Executive Summary The research study, Internet Protocol Version 6 (IPv6): Capabilities, Operational Concepts, and the Transition from IPv4, was conducted at the United States Naval Academy (USNA) with the aim of developing, employing and testing an IPv6 network while learning about many important compatibility and operational issues an organization would encounter while migrating to this new protocol. Specifically, the study entailed participation in the primary phase of the Defense Information Systems Agency’s (DISA’s) IPv6 Pilot Network Project. This primary phase required setting up a fully functional IPv6 network at USNA that, in turn, connected to an IPv6 network at the United States Military Academy (USMA) via an IPv4/IPv6 Virtual Private Network tunnel. Although mandated by the Office of Management and Budget (OMB) to complete the critical conversion of IPv4 to IPv6 by 2008, the Department of Defense (DOD), recognizing the inherent security considerations, operational restrictions and resultant delays in conducting such a conversion, has sponsored the multi-phase US Service Academy IPv6 Pilot Network Project. By partaking in the pilot project, this research study facilitated the DOD-wide protocol conversion by making use of an IPv6 connection between USMA and USNA which afforded a secure testing and validation environment. In addition to the inter-academy IPv6 network connection mandated by the Pilot Network Project, the scope of this research study was threefold: 1) to review and validate the prior research study conducted by the MIDN Christopher B. Landis, USN, 2) to test and develop convergence techniques for the coexistence of IPv4/IPv6, and 3) to discover and analyze the ramifications that the transition to IPv6 would have on legacy systems. It is noteworthy that during the course of the study, our findings revealed a disagreement with a finding reached in the previous Landis study (as might be expected when performing research on a new and largely unexplored topic). In addition, we found that it is vital to understand the IPv6 addressing scheme as it provides the critical and fundamental underpinning to the many other changes made to the new protocol. By the conclusion of the study, we were able to create a fully functional IPv4/IPv6 network that connected to the USMA network via the tunnel. Although we attempted to create an IPv6-only network, we found that the use and integration of Microsoft’s Windows XP PRO SP2 and Windows Server 2003 SP1 necessitated the existence of IPv4 on the network for the provision of some network services. In addition, we noted that the potential for transitioning from IPv4 to IPv6 using Linux-based operating systems seems much more promising than utilizing Microsoft’s Windows XP. Our research provides recommendations for future participation and study in this crucial DOD project. 1. Introduction Security considerations, technical challenges, and operational requirements have hindered the Department of Defense (DoD) from investigating and testing Internet Protocol Version 6 (IPv6) on a large scale. In fact, DoD is seriously lagging behind current congressional and Office of Management and Budget (OMB) mandates to prepare for the transition from IPv4 (the protocol currently in use) to IPv6. In order to facilitate the conversion process, the Defense Information Systems Agency (DISA) sponsored a three-phase U.S. Service Academy IPv6 Pilot Network Project. This research study was intended to serve as an integral part of phase one of the DISA Pilot Network Project. This research entailed building, operating and maintaining a pilot IPv6 network between the United States Naval Academy and the United States Military Academy. This network was then used to provide validation and refutation of operational concepts developed for the transition from IPv4 to IPv6, to include investigations of network management, address allocation and Domain Name Services. This research also investigated the testing and development of protocol capabilities and communication, as well as transition techniques for migrating from the IPv4 protocol to IPv6. Although prevalently misunderstood as simply “IPv4 with a larger address space,” IPv6 represents an entirely new protocol incorporating 4 major changes: 1) IP addresses are expanded from 4 bytes to 16 bytes, 2) the format of the packet header is simplified to include only seven fields (from 13 in IPv4) thus making routing faster, 3) various provisions are incorporated to enhance Quality of Service (QoS) and 4) security is improved through authentication and privacy capabilities. Notwithstanding these four major changes, the new protocol should be backwards compatible with IPv4. Current DoD networks, operating under IPv4, remain vulnerable to limited address space, antiquated architecture, a difficulty in providing quality of service for voice and video applications, and critical security concerns. 2. DoD Internet Protocol Version 6 Generic Test Plan (DoD IPv6 GTP) and DISA In September 2006, in accordance with OMB mandates, the DoD established the goal of transitioning all DoD networks to Internet Protocol Version 6 (IPv6) by fiscal year 2008 [1]. Clearly, this target date will not be met. In order that this transition be eventually accomplished, DISA published the Department of Defense Internet Protocol Version 6 Generic Test Plan (GTP) which requires the testing, analyzing, and validating of commercial and government IPv6 implementation. Thus, in order for a product to be considered “IPv6 capable,” it must complete testing for performance and interoperability in accordance with the Generic Test Plan (GTP) as well as be in conformance with the various industry-wide standards that the Internet Engineering Task Force establishes in its Requests for Comments (RFCs) [1]. This DoD IPv6 GTP “specifies test criteria and procedures for IPv6 products involved in or connecting to the Global Information Grid” (DISA) [1]. The GTP divides the testing of IPv6 into nine main categories: Core IP Functionality, Routing and Switching, Transition Mechanism, Common Network Applications, Security and Information Assurance, Mobility, Quality of Service, Multicasting, and Network Operations and Management. As a subset to the overall DoD IPv6 GTP, the Defense Information Systems Agency sponsored the U.S. Service Academy IPv6 Pilot Network Project which aims at eventually connecting the five federal service academies—the United States Naval Academy (USNA), the United States Military Academy (USMA), the United States Air Force Academy (USAFA), the United States Merchant Marine Academy, and the United States Coast Guard Academy (USCGA)—together using an IPv6/IPv4 tunnel. This process of connecting the different academies was divided into phases: phase one, currently underway, entails the initial connection of USNA with USMA; phase two will involve the connection of USAFA to this network, and phase three will see the connection of USCGA and USMMA to this network. The primary purpose of this Pilot Network Project was fourfold: 1) to “provide validation or refutation of operational concepts developed for transition from IPv4 to IPv6, to include investigation into Information Assurance, Network Management, Multicasting, Domain Name Services, and standard Transport Control Protocol (TCP) services,” 2) to “develop common best practices for the utilization of IPv6,” 3) to “develop IPv6 as a protocol by experimenting with its inherent capabilities for mobility, flexibility, robotics control, and convergence of services,” and 4) to “provide training to the staff, faculty, and students in the next generation protocol to be used throughout the US Department of Defense” [2]. 3. Addressing The IPv6 protocol differs in many significant ways from IPv4; first and foremost in the addressing mechanism that is utilized. As addressing is a significant part of any form of communication, understanding the differences in IPv6 addressing involves not only the focus on the larger address space, but also the effects of addressing on routing algorithms as implemented in the next-generation protocol. IPv4’s 32-bit address offers, in theory, 4,294,967,296 unique addresses [3]. This seemed like a generous allowance of addresses when the Internet was first launched as a military and academic research project in the 1970’s. With the growing popularity of the Internet beginning in the early 1990’s, address exhaustion became a concern. Although Network Address Translation, Classless Inter-Domain Routing (CIDR), Dynamic Host Configuration Protocol and other short-term stopgaps have delayed the exhaustion of IPv4 address space, the fundamental problem remained unsolved while the solutions in some cases actually further complicated matters. Ergo, IPv6 provides a 128-bit long address, yielding 2128 (340,282,366,920,938,463,463,374,607,431,770,000,000) different unique IP addresses [4]. To shorten the notation used for the address and to simplify calculations, IPv6 addresses are represented in hexadecimal rather than decimal notation. This reduces the length of the address to 32 hexadecimal characters, divided by colons into 8 groups of 4 characters (16 bits) each. To further simplify the address notation, zeroes are handled in a special way. First, all leading zeroes are omitted from each group of four hexadecimal characters. Second, consecutive zeroes of any length can be omitted to further collapse the IPv6 address – two colons are used where this omission takes place. However, consecutive zeroes can only be omitted once to avoid ambiguity in reconstructing the full address. Thus, by following these notation rules, an IPv6, unicast global address, 2001:0000:0000:00A1:0000:0000:0000:1E2A, can also be written as 2001:0:0:A1::1E2A [4]. The IPv6 address architecture classifies addresses as one of three types: unicast, multicast, and anycast [5]. A unicast address is an address that identifies a single node. In other words, traffic sent to a unicast address will only be forwarded to a specific, single node. A multicast address, as the name implies, is an address that identifies a group of nodes (normally found on a given site). Traffic sent to a multicast address will be forwarded to each node within that group. Lastly, anycast is an address that identifies a group of nodes where any traffic forwarded to that anycast address will be forwarded to the nearest node within the group. Unicast addresses can be further divided into three types: link-local, site-local (sometimes referred to as “unique local”), and global [4]. All unicast addresses contain both a network prefix and an interface identifier: the network prefix denotes the link while the interface identifier denotes the exact node. Link-local addresses identify hosts on a single link (layer 2 domain). This address is normally used for neighbor discovery, automatic address configuration, or when routers are not present on the network. Linklocal addresses are assigned the address space FE80::/10 (where the familiar CIDR slash notation is carried over from IPv4, in this case indicating that all 128-bit link-local addresses will always begin with the 10 bits: 1111111010) [4]. Site-local addresses identify hosts on a single domain or site using the network prefix. Normally, a site-local scheme will be pushed on the site via a router. These addresses are also referred to as unique-local addresses (ULAs). Site-local addresses will be found in either the FC00::/7 or FD00::/8 address space (this is normally locally assigned). For both link-local and site-local addresses, routers will not forward any packets with these addresses as source or destination outside of the given site (similar to private addressing schemes in IPv4). In addition, the 8th bit of the address prefix facilitates the possible, future ability to identify an assignment policy [4]. Global unicast addresses (GUAs), however, are forwarded outside of the site or domain by routers as their purpose is to provide a unique unicast address available globally. These addresses can be identified by their high-level 3 bits being set to 001 (2000::/3) [6]. Of particular interest in the design of unicast addresses is the integration of the “interface identifier” which is unique for each host [4]. The interface identifier occupies the lower 64-bits of all unicast addresses and is related to the Media Access Control (MAC) address. In order to generate an IPv6 Interface Identifier from a MAC Address, several steps must occur. First, the 48-bit MAC address is taken and divided exactly in half. These two halves are then buffered with 16-bits (FFFE is inserted in between the two halves). The result is the EUI-64 (Extended Unique Identifier) representation [4]. After the EUI-64 identifier is obtained, the seventh bit of the 16 high-level bits is “flipped”. The result is the IPv6 Interface Identifier. The following provides an example of how this is done for one of the computers (named PANDORA) used in USNA’s lab: Pandora’s MAC Address: 00-08-74-39-90-d2 48-bits 64-bits 0008 0008 0 2 08 7439 MAC 90d2 74 FFFE 39 90d2 EUI-64 74 FFFE 39 90d2 IPv6 ID Pandora’s Link-Local Address: FE80::208:74FF:FE39:90D2 Figure 1 Because link-local and site-local addresses can, by their very nature, be reused, RFC 4007 employs the use of a “zone identifier” (also known as a “scope identifier”) [7]. As an example, PANDORA’s link-local address would be seen as the following: FE80::208:74FF:FE39:90D2%5. Here, the IPv6 prefix and interface identifiers are the same; but, in order to distinguish the scope, the %5 indicates the “zone”. The main purpose of having zone identifiers is to make a link-local address unique for a node that is connected to multiple links. However, this syntax presents a conflict with RFC 2396 in regards to Uniform Resource Identifier (URI) Generic Syntax [8]. Common examples of this conflict in syntax can be seen in the following example of a simple search query: Figure 2 According to RFC 2396, ‘%’ is reserved for the special purpose of encoding escape characters [8]. While generally not presenting difficulties as most METHOD=”GET” separates the URL from the appended search query forming the URI, the potential for conflict is not beyond the realm of possibility. In addition to the prefix and interface identifier segments of unicast addresses, Global and Subnet ID segments are also provided. Though originally meant to be implemented in a global aggregation scheme, the Global and Subnet IDs are now controlled by the Internet Assigned Numbers Authority (IANA) and the respective service provider (SP). The global prefix is 48 bits or shorter and is allocated to a service provider by IANA [9]. The subnet ID identifies the organizational structure of its network in respect to the service provider. Another important change in the IPv6 protocol is the replacement of broadcast addresses with multicast addresses. Basically, a multicast address identifies a group of interfaces so that a packet with a multicast destination address is sent to all those belonging to the multicast group. All IPv6 multicast addresses have their first 8 (high-order) bits set to 1 thus giving the address structure FF00::/8 [4]. After the first 8 bits, the next 4 bits act as a flag of which the three lower-order bits are currently used. The second flag bit, 10th bit from the beginning, indicates whether that multicast group address contains the unicast address of the RP (rendezvous point) [4]. The third flag bit, 11th bit from the beginning, indicates whether the multicast address is based on a unicast prefix or not. The fourth flag bit, 12th bit from the beginning, indicates whether it is permanently assigned or not. It is important to note, however, that if the third flag bit is set to 1 indicating that it is based on a unicast address, then by necessity the fourth flag bit must also be set to 1 indicating a nonpermanent address. This is due to the fact that because a unicast address has a limited lifetime, and the multicast address in this case is derived from the unicast address, the multicast address must also have a limited address [4]. The last change in IPv6 regarding address types is the anycast address. According to RFC 3513, an anycast address is a unicast address assigned to multiple machines and is routed to the nearest interface configured for it [5]. However, as anycast addresses are virtually indistinguishable from unicast addresses, a given node must be configured for the assignment of an anycast address to its interface. Because an anycast address is assigned to multiple machines, it cannot be used as the source address for a packet. Oftentimes, the anycast address is used in the replication of important network resources such as web servers, multicast RPs, and DNSs which can allow for the sharing of traffic loads [4]. In summary, IPv6 provides a new address scheme that was meant to address many of the problems and shortcomings of the IPv4 addressing scheme. Although the change in the addressing scheme is not necessarily the biggest change in IPv6, it is probably the most noticeable and necessarily created numerous implications on the research study that was conducted. 4. Research Study Primary in purpose to this research study was the establishment of a basic IPv6 network; therefore, fundamental to its inception were the use of basic and commonly used software and operating systems. Rather than immediately attempting to connect to the United States Military Academy or rush headlong into the implementation of a router under IPv6, we instead set up a simple three computer and one hub configuration as the most pragmatic foundation upon which to build. The OS chosen for this initial configuration was Windows XP SP2. A. IPv6 Compatibility with Windows XP SP2 Before beginning the installation and setup of an IPv6 network, IPv6 compatibility with Windows XP SP2 had to be confirmed. After some research, it was discovered that IPv6 is preinstalled as a package—though not set up—on Windows XP SP2 platforms. This is in stark contrast to Solaris 10, SUSE 10.1 and other Linux flavors which, by default, have IPv6 enabled. A user can setup up IPv6 on their machine, creating link-local addresses as described above, by using the “netsh” command-line utulity. The netsh tool also provides the ability to configure a router on a Windows XP system with forwarding and advertising enabled, to create static routes, and to assign site-local IPv6 addresses. To enable IPv6 on each computer, we used the command: netsh interface ipv6 install Then, for the machine named PANDORA, we used the command to initiate the sending of “Hello” packets: netsh interface ipv6 set interface “Local Area Connection” forwarding=enabled advertise=enabled This command caused PANDORA, while running Windows XP SP2, to advertise its address on the interface named “Local Area Connection.” At this point, our three machines (PANDORA, DAEDALUS and ICARUS), had the following link-local addresses auto-configured: PANDORA: FE80::208:74FF:FE39:90D2 DAEDALUS: FE80::208:74FF:FE39:90D4 ICARUS: FE80::208:74FF:FE39:9105 Note: At this point, the zone identifier (discussed in Section 3 above) was observed as “%5” and was attached to the end of the link-local addresses. The link-local addresses also empirically confirmed that IPv6 link-local addresses incorporate the MAC address of the machine into the Interface Identifier which comprises the last 64 bits of the link-local address. In an effort to determine whether or not the MAC address implementation for IPv6 was at the Data Link Layer (MAC sublayer) or whether the implementation was higher, MAC spoofing was conducted using T&R SoftNet Solutions’ MACSpoof to spoof the MAC address. The IPv6 link-local address change was successful. This proved that IPv6 uses the EUI-64 identifier derived from the 48-bit IEEE 802 address (RFC 2464) and that the implementation of the MAC address was on a higher layer than the Data Link Layer. B. Basic Connectivity After installing the IPv6 package on each of the three computers, they were connected via a 4-port hub as shown in Fig. 3. Pings (i.e., ICMP echo request/echo reply exchanges) were successfully sent between all of the computers using the IPv6 addresses. The IPv6 literature (such as it is) discusses the use of a command named ping6. We learned that “ping” is IPv6 compatible simply by context, and “ping6” is not needed. This is because the initial difference between ping and ping 6 was due to the syntactical difference between IPv4 and IPv6 addresses. However, as of Service Pack 2, Windows XP allows for the use of the normal “ping” command followed by the IPv6 address. Figure 3 But was this really IPv6? In order to test that the actual packets being sent consisted of IPv6 traffic, Wireshark was installed on the three computers. Wireshark is a protocol analyzer that allows the user to examine in detail the raw traffic being placed on a network. Additionally, Wireshark incorporates the filter “ipv6” to readily filter IPv6 traffic. Using Wireshark, we confirmed that IPv6 was indeed being used for neighbor advertisements, neighbor solicitations, and pings; this traffic was also marked as “ICMPv6” in the Wireshark display. To discover the network’s Maximum Transfer Unit (MTU), i.e., the maximumlength packet that could be sent without fragmentation, we pinged ICARUS using DAEDALUS, increasing the buffer size each time until reaching fragmentation. The result was 1452. Since the ICMPv6 header contains 6 bytes, and the IPv6 header contains 40 bytes, the maximum buffer size is 1500 bytes (1452 + 8 + 40), as expected, since Ethernet is the underlying link layer protocol. On a side note, we came to the lab and noticed all the machines were powered off. Upon powering on the machines and checking the physical setup, we began to ping the machines using their link-local addresses with the zone identifier that was attached on the preceding day. The result was “Destination Unreachable”. Upon further investigation, we used the command: netsh interface ipv6 show interface which outputs the local index for each given link-local IPv6 address. We learned that this zone identifier can be different each time the machine is powered-up as it is dynamically determined by the node on the link. If this zone identifier is not used in the ping command, or if an incorrect one is used, the user will receive an error “Destination Unreachable.” C. Telnet and FTP After establishing the initial setup, we decided to test basic services so that data communication and transfer (other than ICMPv6) could be empirically observed and validated. We first tested telnet terminal emulation services. After initial user/login setups and the opening of port 23 in the Windows Firewall, a successful telnet connection was achieved between DAEDALUS (FE80::208:74FF:FE39:90D4) and ICARUS (FE80::208:74FF:FE39:9105) using standard telnet commands. The connection was confirmed and referenced with IPv6 addresses using the netstat command. Our next goal was to test FTP (File Transport Protocol). This was initially unsuccessful. Upon investigation, we first considered that it must have been due to the Windows Firewall. After inspecting the settings and insuring that the correct port was enabled, we attempted setting up the FTP using a different port that would also be allowed by Windows Firewall. Unfortunately, the results were still negative. Due to the ensuing problems we faced with as basic a protocol as FTP, we researched Microsoft’s exciting whitepapers. However, we immediately saw a conflict in Microsoft’s own documentation. As can be seen below in Fig.4, one of Microsoft’s websites states that FTP is IPv6 supported. Figure 4 However, another Microsoft website, as seen below in Fig 5, notes that Microsoft’s Internet Information Services (IIS) version 6.0 is not fully IPv6 compatible. IIS provides Internet-based services for FTP, Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP) and web. As can be seen from Fig 5, under IPv6 FTP, SMTP and NNTP are not supported. Figure 5 This created some confusion. Our test results revealed agreement with the statement in Figure 5, but disagreed with Figure 4. Another point of interest is the fact that the site that states FTP support under IPv6 is from the Windows XP Professional Product Documentation (the documentation for the operating system being used) as opposed to the Microsoft Windows Server 2003 TechCenter site (Fig 5). Still yet another point of conflict is the fact that Windows XP PRO SP2 utilizes IIS 6.0 for many of its internet and networking services. We finally determined that Microsoft’s TechNet information (Fig 5) was the most authoritative word on the matter of FTP/IPv6 compatibility. In addition, the EnableReverseDnsLookup property is not supported, thus not allowing for lookups determining the DNS name of a client computer. This is important because EnableReverseDnsLookup is used by IIS 6.0 to perform reverse DNS lookups for the name of the client computer. This is the primary reason FTP does not work natively on Windows XP using IPv6. Having determined that Microsoft’s innate FTP service was not IPv6 compliant, it remained to be determined: Is there an IPv6 FTP client/server program available anywhere? To determine whether FTP was feasible with IPv6, free, third-party software was installed and utilized (Xlight FTP). We loaded the XLight FTP virtual server on PANDORA. We then selected an option that allows "Dynamic IPv6" on well-known port 21, setting up user a username and password, we then created a remote admin account on Port 3333. FTP connection was successful from the command line; however, there were initial problematic issues. Upon attempting to initiate a file transfer using the command: ftp fe80::208:74ff:fe39:90d4%5 we could not execute the DIR command (we would receive “list filed/directory: FAILED”) and the FTP command line would state the following and then freeze: 150 Opening ASCII mode data connection for /bin/ls (x bytes) where x was the number of bytes. Fortunately, these issues were resolved after restarting the machines after installing XLight FTP. Once these initial problems were resolved, several files of differing lengths were sent, all with 100% success. This demonstrated that FTP is possible with IPv6, but that it is not natively compatible with Windows XP. D. Expanding the IPv6 Network After having tested the telnet and FTP on the Windows XP machines, we installed Sun Solaris 10 on three other machines and then connected them to a different hub. Of interest, there was no need to install or setup any IPv6 support on the Sun Solaris 10 machines as IPv6 is, by default, already setup. This hub was then connected to the other hub creating the network layout as shown in Fig 6. Figure 6 At this point, the lab was set up with the following link-local addresses: O O O O O O PANDORA -> FE80::208:74FF:FE39:90D2 DAEDALUS -> FE80::208:74FF:FE39:90D4 ICARUS -> FE80::208:74FF:FE39:9105 REMORA -> FE80::208:74FF:FE39:90D0 CHIMERA -> FE80::208:74FF:FE39:9100 KNOSSIS -> FE80::208:74FF:FE39:90EC After connecting the hubs, we began to successfully ping the Sun machines from the Windows machines. We then were able to successfully telnet between the Sun and Windows machines. In addition, File Transport Protocol is natively supported by Sun Solaris 10 when using IPv6. As we now had some of the basic services running for the network, we decided to install Windows Server 2003 SP1 Enterprise Edition on PANDORA in order to test FTP, DNS, DHCP, and Web Server services. Thus the network was designed as seen in Fig 7. Figure 7 Initially, we set up a File Server on PANDORA (which now has Windows Server); but due to the same problem of IIS 6.0 incompatibility with IPv6, the File Server was not functional using IPv6. For example, upon entering: ftp fe80::208:74ff:fe39:90d2%5 we received the error message ftp: connect :unknown error number At this point, our observation simply concurred with our previous conclusion about the incompatibility of IPv6 with IIS 6.0. E. Establishing a Domain Name Service (DNS) Server After testing and determing the incompatibility of IPv6 with the File Server on PANDORA, we determined to set up a Domain Name Service (DNS) server. However, due to the complexity involved, we decided to use Microsoft’s Step-by-Step Guide for Setting Up IPv6 in a Test Lab[10]. This publication initially suggests setting up a network with three segments utilizing two systems as routers. Because the machines in the lab had only one Ethernet port and one Network Interface Card (NIC), and in order to simplify the setup, only one segment was created. This configuration was also chosen as it most closely represented our current setup with the two hubs and six machines as shown in Fig 7. We quickly learned something very important: Microsoft’s guide does not create an IPv6-only network, but rather uses IPv4 for the DNS setup. Later, in fact, it was determined that Microsoft’s DNS on Windows Server 2003 does not support DNS solely using IPv6. Realizing that Microsoft was not quite ready for IPv6, we nevertheless, after following the guide, created a network with the following setup: o IP: 10.0.1.0/24 o IPv6 (site-local): 2001:DB8:0:1::/64 o Note: This was our first use of a unicast address that was not linklocal. o Each machine had the following IPv4 private addresses: o PANDORA -> 10.0.1.2/24 o DAEDALUS -> 10.0.1.3/24 o ICARUS -> 10.0.1.4/24 o REMORA -> 10.0.1.5/24 o Chimera -> 10.0.1.6/24 o KNOSSIS -> 10.0.1.7/24 o Each machine had their Gateway set to 10.0.1.1 After setting up the individual IP addresses, the following forward lookup zone was created: testlab.ipv6.com. This was possible because there was no DNS forwarding, and as there was no connection to the Internet, the use of this .com space is allowable. The DNS address was set up as FEC0:0:0:FFFF::1%1. This address was set as the DNS address for each system as it is one of three default IPv6 DNS addresses. For each computer the DNS suffix needed to be appended using the following commands: o Start->“Control Panel”->“Network and Internet Connections”>“Network Connections” o Right-click “Local Area Connection”->Properties->General>“Internet Protocol (TCP/IP)”->Properties->Advanced->DNS o Add testlab.ipv6.com to the list of DNS suffixes. In addition to appending the DNS suffixes, a static route was created in the following manner: o netsh interface ipv6 add route 2001:db8:0:1::/64 “Local Area Connection” publish=yes This command was necessary to create a static route and a site-local addressing scheme of 2001:db8:0:1::/64. As there were no other routers on the test network, there was no need to add a next hop to the static route. However, in the case of using one DNS over a tunnel or using multiple VLANs, one would most likely setup a static route with multiple hops. This setup provided the network with the site-local address scheme of 2001:DB8:0:1::/64. It is of importance to note that until this point, the use of link-local addresses is more than sufficient for the maintenance of a network. However, after implementing certain network services often considered crucial to modern day networks, the assignment of a site-local addressing scheme to the link is necessary. As was the situation with the link-local addresses, the EUI-64-based interface ID was again appended onto the end of the site-local address scheme giving, for example, PANDORA’s IPv6 address as 2001:0DB8:0000:0001:0203:74FF:FE39:90EC. After the network was setup, AAAA DNS records (IPv6 DNS records) were created for each host (the site-local address was used). As Sun Solaris 10 lacks much of a GUI for the assignment of gateways and a DNS, several files needed to be modified in the Sun Solaris 10 etc/ folder as follows: o Modified /etc/nsswitch.conf o It was modified for the IPv4 and IPv6 address being used in the setup. o Created /etc/resolv.conf: o search testlab.ipv6.com o domain testlab.ipv6.com o nameserver 10.0.1.2 o Modified /etc/inet/netmasks o Changed IPv4 address scheme to 10.0.1.0 255.255.255.0 o ifconfig elxl0 10.0.1.x netmask 255.255.255.0 up [where x denotes what machine this is being configured on] These commands allow for the configuration of the Sun Solaris 10 computers to use the Windows Server 2003 DNS and lookup names for IPv6 addresses. After setting up the DNS and creating the IPv6 DNS records for each host, we tested by pinging from each computer using the computer name rather than the computer’s site-local address. After the testing was successful, we decided to test a telnet session using the DNS host name which was again successful. However, nslookups were not feasible as a reverse lookup zone was not created. After creating a reverse lookup zone and inserting the DNS host name records for IPv6, nslookups on client computers were successful. Because DNS was functional and had tested successfully with IPv6, we decided to set up a Web Server on PANDORA. We created a webpage (“index.htm”) and made it available to the public in the permissions. After setting up the web server, we attempted to connect to the website using Mozilla Firefox. Firefox successfully connected to the web server if we followed the following format: http://[2001:DB8:0:1:208:74FF:FE39:90D2]/index.htm The reason for the brackets around the IPv6 address is to prevent a parsing of the IPv6 address and the misinterpretation of the colons as the port to which to connect. Firefox also successfully connected using DNS names and bypassing the IPv6 address with the following format: http://PANDORA/index.htm. Internet Explorer v6.0, however, is not IPv6 compatible. We attempted both the use of the IPv6 address in brackets as well as the use of the DNS name – both were unsuccessful. F. Extending the IPv6 Network to the US Military Academy Prior to connecting the network of computers to the United States Military Academy, we attempted to establish a clear IPv4 connection via the already established tunnel. An initial ping of 134.122.18.81 (the IPv4 address of USMA’s router) resulted in a 0% success rate as each ping timed out. Running a trace route, we found the following results: Tracing route to 134.240.18.81 over a maximum of 30 hops 1 < 1 ms 2 188 ms [192.190.228.1] 3 162 ms 4 159 ms 5 * 6 * <1 ms 164 ms <1 ms 155 ms gw.ialab.usna.edu [131.122.204.254] usna-rt9.swat.usna.edu 142 ms 147 ms 278 ms * 160 ms 162 ms 245 ms * 10.10.1.51 sdp1.usma.dren.net [138.18.9.49] cperouter.usma.dren.net [138.18.44.2] Request timed out. Trace complete. Figure 8 This represented either a firewall issue, a non-existent router, or an IP address change. As USMA had been undergoing an address migration, the possibility for a possible IP address conflict was possible. After contacting Mr. Erik Dean at USMA, it was determined that the lack of “reachability” was due to the router’s access control list (ACL) not responding to ICMPv4 packets. After discovering the inability to ping using ICMPv4 packets, we decided to test a connection using USMA’s IPv6 address (2001:1918:F100:1::1). This success rate, however, was 46% successful. After several re-attempts, the best success rate we could achieve was 60%. What we noticed was that every other packet was dropped by USMA. After contacting USMA, Mr. Dean replied with the following: “I did some poking around in our router, we had our IPv6 address assigned to an actual interface (one IPv6 address per interface) instead of using the Loopback 6 address as COL Beckman originally configured. This was leading to substantially less roundtrip ping times between us and you. I reconfigured our router so that the interface that you are connected to (via the tunnels) is now 'ipv6 unnumbered' and uses our 'Loopback 6' interface (which now has the addresses 2001:1918:f100:1::1/64 and fec0:1918:f100:1::1/64). If you ping the fec0 address you should see a very fast turnaround time, the 2001 address may take a bit longer as the traffic has to be routed, internally, by our router and then sent back.” Figure 9 After USMA reconfigured their router, we achieved 100% success rates when pinging USMA with their IPv6 address. At this point, we connected the network we had built to the CISCO 3600 router. After deleting the route 2001:DB8:0:1::/64, the network took the site-local scheme of 2001:1918:F101::/48, as per the setup of the 3600 router (it was given pre-configured by ITSD). After a short delay, all of the machines were “pingable” using the new site-local scheme, the web server still worked by the new site-local address, and telnet and FTP (under the conditions as mentioned above) worked. At this juncture, we had achieved the goal of the first phase of the DISA Pilot Network Project. Our network configuration can be seen in Figure 6. Figure 10 After we had achieved the goal of a network functioning via an IPv4/IPv6 tunnel with USMA, we decided to setup the DNS as strictly IPv6. However, this attempt failed, most likely due to static routing issues. This necessitated the creation of static routes for the CISCO 3600 router. Towards the end of the research study, we desired to be able to test the bandwidth and data transfer rates and times. This necessitated the ability to synchronize the clocks on the computers. In order to do this, we attempted to set up a Network Time Protocol (NTP) server on the network by which all machines would sync their clocks. However, the NTP service as provided by Windows is not IPv6 supported. Furthermore, Windows necessitates an Active Directory for the setup and maintenance of an NTP service. Because we were unable to synchronize the clocks on the machines, we were unable to test the data transfer and throughput of the network. 5. Results In this research study, we built a fully functioning network that implemented IPv6. We were also able to test and validate the use of common, mainstream operating systems such as Windows XP Professional SP2 and Sun Solaris 10. Through the creation of an IPv4/IPv6 network, we were able to implement a DNS service that worked for both forward and reverse lookups; allowing nslookups, pings, file transfers, and telnet services based on names rather than IPv6 addresses. After the creation of the network and the establishment of common network services, we were able to connect the network to an IPv4/IPv6 VPN tunnel; thus completing the primary phase of DISA’s Pilot Network Project. In addition, we were able to validate the address changes of IPv6 and were successful in the manipulation of those addresses to different address schemes. We determined that FTP as implemented by Microsoft’s IIS 6.0 is not IPv6 compatible. As this is predicated upon the incompatibility of EnableReverseDnsLookup with IPv6, many other services supported by IIS 6.0 are also incompatible: DHCP, Active Directory, SNMP, and NTP. However, DNS is compatible if the network is an IPv4/IPv6 network. In addition, our findings indicate that for the web server, Internet Explorer v6.0 is also not compatible with IPv6. 6. Recommendations In order to better facilitate the further testing of IPv6, especially in regard to QoS, DNS setups over VPN tunnels, file streaming, and throughput testing, it would be beneficial to conduct a research study inclusive of students at both Academies working together. This would allow for a more realistic interpretation of results, allocate work more effectively, and allow for the sharing of critical resources that one or the other location may lack. Furthermore, another recommended program enhancement would be the acquisition of network analyzing programs. An example of this type of program is Cisco’s NetFlow Analyzer, which is fundamental to Cisco’s testing of throughput and other network metrics. This could allow for a more effective measurement of the network that would not be dependent solely upon an NTP service or free, third-party software. Much within the realm of possible avenues for researching IPv6 is limited by the nature of the VPN connection with USMA on a two-port router. This fundamentally limited the ability to test connections with the actual nascent IPv6 Internet, the use of IPv6 NTPs on the Internet, and the testing of protocols more specific to the use of the Internet with regard to IPv6. If a router could be acquired with greater than two ports and implemented, it would then be possible to study an actual application of IPv6 to the IPv6 Internet. 7. Conclusion The goals we established from the onset of the research study were three fold: 1) review and validation of the previous “lessons learned” from the prior Landis study and various other research findings, 2) test and develop IPv4/IPv6 convergence techniques involving a fully-functioning IPv4 network, and 3) test and develop inter-protocol communication and transition techniques specifically including legacy systems. In addition, it was an underlying goal to partake in and accomplish the initial phase of DISA’s Pilot Network Project. Initially the conclusions of this study disagree with the findings in the Landis study which stated that “IPv6 is not a new protocol” [11]. Though it is perhaps true that the lengthy time for the implementation of the conversion project is more due to the fact that the creators and implementers want to solve problems associated with established architecture and not create new problems associated with new protocols, a cursory look at something as superficial as the addressing structure demonstrates a fundamental change in the protocol; something that indeed reflects something “new”. However, it is probably more credible that the reason for the slow conversion to IPv6 is more due to the wide standardization, implementation, and acceptance of the known IPv4 protocol. Obviously, this makes it difficult to implement the new IPv6 protocol where backwards compatibility is questionable at best. In an effort to test and develop IPv4/IPv6 convergence techniques, many of the common services expected of a network were used as a baseline for testing. Many of the services were, however, limited more by the use of common, mainstream operating systems such as Windows Server 2003. It has been documented, though not fully tested, that DNS BIND has been successful as an IPv6-only DNS. Other documentation has suggested the existence of NTP and SNMP services in an IPv6-only environment. These documents are important as they demonstrate the current viability for IPv6-only networks that provide the same services as common IPv4 networks. However, the current latest version of Windows Server limits the usability of many of the services to strictly an IPv4/IPv6 network. To be sure, while the eventual goal is that IPv6 replace IPv4, coexistence of the two protocols must be allowed as IPv4 will be around for long time yet. What the implementer must be cautious of is that applications, software, and operating systems do not become the limiting reagent for the process of change. As the research study has shown, Windows Server 2003 could be such a limiting reagent if relied upon. The third goal was not entirely met. This was largely due to the difficulties in setting up an IPv6 network with common, up-to-date systems. However, the fact that the implementation of IPv6 was difficult on today’s systems gives a hint at the possible difficulties in attempting to implement IPv6 on legacy systems. One area that shows promise, however, is the use and implementation of Linux and Unix-based operating systems. Many Linux and Unix based systems already have IPv6 enabled. Others have the capability, though it is disabled by default. Also, as Linux and Unix-based systems tend to be more easily updateable and patchable, the limit to these systems is more concentrated with the physical hardware than with the capability of the OS. Ergo, in conclusion, IPv6 is a new protocol that provides many fundamental changes to the widely standardized and implemented IPv4 protocol. As shown previously, the global need for addresses and a better protocol demands the implementation of IPv6. However, the implementation of this new protocol is limited largely by the software and systems widely used and the alacrity with which major software vendors pursue the ability to seamlessly implement IPv6 in a largely IPv4 world. Appendix A: Log 06SEP07: Installed IPv6 on computers running Windows XP Professional SP2. Used "netsh netsh interface ipv6 install". Connected the three computers to a four port hub. Set up computer (Windows XP) as router (IPv6). o netsh interface ipv6 set interface "Local Area Connection" forwarding=enabled advertise=enabled Successfully pinged each computer from each computer. Following Setup: 1. PANDORA -> fe80::208:74ff:fe39:90d2 2. DAEDALUS -> fe80::208:74ff:fe39:90d4 3. ICARUS -> fe80::208:74ff:fe39:9105 08SEP07: Installed Wireshark on all computers (computers running Windows XP Professional SP2): o Use filter: "ipv6" Attempted to setup FTP server - need XP Professional install discs. Attempted to setup telnet: o Faced user/login issues o Logged in once, telnet crashed (may be error in setting up) tested Buffer size of ICMPv6: 1452 10SEP07: "You have to have the connection from the wall plugged into Fastethernet 0/1. Do not change this connection it will not work. Thanks - B.Lucas & D. Christenson" 16SEP07: Linux (SUSE) computer could not login (contact Becker). Telnet works between DAEDALUS (fe80::208:74ff:fe39:90d4) and ICARUS (fe80::208:74ff:fe39:9105) o Connection achieved (had to add Port 23 to Windows Firewall exceptions) o Netstat confirmed connection with IPv6 address listed FTP (File Transport Protocol) o Connection problem on port 21 o Ran into issue when ftp host on port 23 (telnet port). After 60 seconds, connection closed by remote host. o Open port 2345 on both computer's firewall Still ran into connection issue ("ftp: connect :unknown error number"). Will load NetCat and NMap to further test connectivity between computers on IPv6 Network 18SEP07 Cannot ping or connect computers (all running Windows XP Professional SP2). Found computers turned off. Error: "Destination unreachable". Problem solved. XP uses a local index at the end of an IPv6 address. Must check upon star-up with the following command: "netsh interface ipv6 show interface" All computers pingable. Telnet works as well. 24SEP07 SUN Solaris not installed yet. Wit till then to set up IPv6 network on UNIX/LINUX machines. Attempted MAC spoofing to determine if it would change IPv6 link-local address. o Used T&R SoftNet Solutions MACSpoof to spoof MAC address. o IPv6 link-local address change successful o Implications: one can still spoof their IPv6 link-local IP address (or any address that uses their IPv6 Interface ID) by spoofing their MAC address. Installed IIS 6.0, enabled FTP o Attempted both Active as well as Passive FTP. o All attempts failed. o Message: ">ftp: connect :unknown error number" o o Modified and restarted Firewall settings o All attempts failed 26SEP07 SUN Solaris installed on computers Loaded XLight FTP virtual server on PANDORA o Selected "Dynamic IPv6" port 21 o User/Password: ********/******* o created remote admin account Port 3333 User/Password: ********/******* o FTP Connection: Connection successful DIR -> list filed/directory: FAILED FTP command line would state following and freeze: "150 Opening ASCII mode data connection for /bin/ls (x bytes)" where x = # of bytes Attempted Active: FAILED - see above Attempted Passive: FAILED - see above Attempted Binary: FAILED - see above Attempted ASCII: FAILED - see above Attempted "cd testmaterial": SUCCESS Attempted "get": FAILED Would create local file Failed to send/receive file data Attempted Remote Administration: SUCCESS Connection fully functional Connected DAEDALUS to PANDORA successfully o Due to 3rd Party FTP Failure, Installed Windows Server 2003 Edition 27SEP07 o o Set up File Server and File Transport Protocol server on Windows Server 2003, Enterprise Edition. Attempted to ping: SUCCESS - was able to ping other computers Attempted FTP: FAILURE - message: ">ftp: connect :unknown error number". Set up switches, connected Solaris computers to switch, connected all switches. All pings: SUCCESS! 30SEP07 o o o o Goals: 1. Ping USMA 2. FTP Windows 3. Set up CISCO 1811; if time, via linux Ping USMA COM1, 9600Bits/sec; Databits 8, Parity 1; flow Control Hardware Attempted to ping Army at following locations: 134.240.18.81 -> FAILURE 134.18.9.49 -> SUCCESS 134.8.44.2 -> SUCCESS Traceroute 134.240.18.81: 131.122.204.254 192.190.228.1 10.10.1.51 138.18.9.49 138.18.44.2 FTP Windows Started XLight FTP Server Connection from DAEDALUS: SUCCESS Directory listing ("dir"): SUCCESS Transfer of text file: SUCCESS Normal Windows FTP Connection from DAEDALUS: FAILURE Set-up CISCO 1811 Attempted to set up router: FAILURE. This believed to be in part due to either human error or an incompatibility with the CISCO 1811 and IPv6. While the IOS for the CISCO 1811 is IPv6 compatible, doubt exists as to its physical compatibility. 02OCT07 o Attempted to create DNS (Domain Name Service server) on PANDORA using Windows Server 2003, SP1. Ensure IPv6 was installed and enabled Set up network to following: IP: 10.0.1.0 Subnet Mask: 255.255.255.0 Set PANDORA to 10.0.1.2 Set DAEDALUS to 10.0.1.3 Set ICARUS to 10.0.1.4 Set Gateway to 10.0.1.1 Enabled forwarding and advertise on each computer Set up forward lookup xone: (testlab.ipv6.com) Note: do not have AD set up (incompatible according to website) Set DNS address (IPv6) to FEC0:0:0:FFFF::1%1 Set as DNS address for each client machine Test: Ping using IPv6: SUCCESS Ping using IPv4: SUCCESS Nslookup using IPv6: FAILURE Nslookup using IPv4: FAILURE 03OCT07 o Create IPv6 Testlab with fully functioning DNS; Re-installed Windows Server 2003 on PANDORA: successful Set up as standalone server Set up DNS server (installed networking services) Defined Forward Lookup Zone (testlab.ipv6.com) Set IP to 10.0.1.2/24 Installed IPv6 (netsh interface ipv6 install) Re-installed Windows XP SP2 on ICARUS: FAILURE Problem due to corrupt boot disk image – need to acquire other image DAEDALUS Uninstalled IPv6 (netsh interface ipv6 uninstall) Installed IPv6 (netsh interface ipv6 install) Set IP to 10.0.1.3/24 and DNS to 10.0.1.2 Appended NDS suffix “testlab.ipv6.com” Configured Windows Firewall to allow incoming echo request. Note: changed “Local Area Connection” name to “Network 1 Connection” on both] Conducted ping of FE80::208:74FF:FE39:9102 : successful Enabled forwarding and advertising Published route as 2001:DB8:0:1::/64 Ipconfig showed global addresses for both. Created record for DAEDALUS in PANDORA (DNS) [IPv6] using IPv6 global address “ping DAEDALUS” : successful “ping PANDORA” : successful DNS LOOKUPS CONSIDERED SUCCESSFUL 04OCT07 o Set up DNS on all computers Finished installing Windows XP PRO SPD2 on ICARUS Installed IPv6 Set IPv4 IP to 10.0.1.4/24 Appended DNS suffix to “testlab.ipv6.com” Ping DAEDALUS: successful Ping PANDORA: successful Set up DNS zone on Solaris computers: Modified /etc/nsswitch.conf It was modified for the IPv4 and IPv6 address being used in the setup. Created /etc/resolv.conf: search testlab.ipv6.com domain testlab.ipv6.com nameserver 10.0.1.2 Modified /etc/inet/netmasks Changed IPv4 address scheme to 10.0.1.0 255.255.255.0 ifconfig elxl0 10.0.1.x netmask 255.255.255.0 up [where x denotes what machine this is being configured on] Successfully pinged each computer 08OCT07 o o Modified /etc/ftpd/ftpusers to alow connection by user “root”. FTP attempts: All successful. 10OCT07 o o Pinged USMA Ping 46% successful IPv6 Address: 2001:1918:F100:1::1 Reason for previous difficulty: usma router st up to drop ICMPv4 packets (Access-Control Lists) Ping success rate not optimal Set up Web Server Set up PANDORA as an Application Server Installed ASP.NET and IIS 6.0 Created Webpage (“index.htm”) Access Webpage Successful if IPv6 IP is put in brackets: “http://[2001:DB8:0:1:208:74FF:FE39:90D2]/index.htm” Note: Needs authentication to view. Can bypass using DNS lookup names: “http://PANDORA/index.htm” Need to figure out permissions Note: IE v6.0 is NOT IPv6 compatible. Mozilla Firefox is. 15OCT07 o o o Connected USNA 3600 to 8 port switch (0/0) Deleted route 2001:DB8:0:1::/64 3600 “assigned” 2001:1918:F101::/48 o o o o o Tested ping of 2001:1918:F101:1::1 Success. Tested ping of 2001:1918:F100:1::1 Success. Tested ping of 2001:1918:F100:1::1 on DAEDALUS Success. Tracert of 2001:1918:F100:1::1 on DAEDALUS Success Assigned 2001:1918:F100:1::1 to DNS as USMA 23OCT07 o o o o o o Installed dnscmd.exe onto PANDORA Entered IPv6 ‘AAAA’ Records for all computers Attempted to setup DNS as strictly IPv6 Failed: this is most likely due to static routing issues Need to create static route for cisco 3600 Re-Setup 6over4 network for DNS Success Tested Website Success Tested nslookup (reverse zone lookups) Success 06NOV07 o o Attempted to set up NTP on the network Edited registry of PANDORA to use internal clock Attempted to connect to PANDORA as NTP server with ICARUS Failed: could not reach host. Most likely due to Windows Time Service executing as a group policy. Appendix B: Router Configuration File no ip dhcp use vrf connected usna-3660#show conf Using 2190 out of 129016 bytes version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption hostname usna-3660 boot-start-marker boot-end-marker enable password usna no aaa new-model resource policy ip subnet-zero ip cef no ip domain lookup no ip dhcp use vrf connected ipv6 unicast-routing ipv6 host usma FEC0:1918:F100::1 ipv6 host usna-2600 FEC0:1918:F101::200 ipv6 host usma-2600 FEC0:1918:F100::2 ipv6 host usna FEC0:1918:F101::1 ipv6 cef ipv6 multicast-routing username cisco password 0 cisco interface Tunnel62 description usna-usma tunnel-type 41 no ip address ipv6 enable ipv6 ospf 27133 area 0 tunnel source FastEthernet0/1 tunnel destination 134.240.18.81 tunnel mode ipv6ip interface Tunnel63 description usna-usma tunnel-type 47 GRE no ip address ipv6 enable ipv6 ospf 27133 area 0 tunnel source FastEthernet0/1 tunnel destination 134.240.18.81 interface Loopback6 no ip address ipv6 address FEC0:1918:F101::1/128 ipv6 ospf 27133 area 0 interface FastEthernet0/0 no ip address duplex auto speed auto ipv6 address 2001:1918:F101:1::1/64 ipv6 enable ipv6 ospf 27133 area 0 interface FastEthernet0/1 ip address 131.122.204.1 255.255.255.0 duplex auto speed auto interface ATM2/0 no ip address shutdown no atm ilmi-keepalive interface Serial3/0 no ip address shutdown serial restart-delay 0 interface Serial3/1 no ip address shutdown serial restart-delay 0 interface Serial3/2 no ip address shutdown serial restart-delay 0 interface Serial3/3 no ip address shutdown serial restart-delay 0 interface FastEthernet4/0 no ip address half-duplex interface FastEthernet5/0 no ip address shutdown duplex auto speed auto interface FastEthernet5/1 no ip address shutdown duplex auto speed auto router ospf 27133 log-adjacency-changes no ip http server no ip http secure-server ip classless ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 ipv6 router ospf 27133 router-id 131.122.204.1 log-adjacency-changes control-plane line con 0 login local line aux 0 line vty 0 4 login local end usna-3660# Appendix C: Lab Setup (Visual) Figure C-1 Figure C-2 References [1] “Department of Defense Internet Protocol Version 6 Generic Test Plan Version 2”, Defense Information Systems Agency, 2006; http://jitc.fhu.disa.mil/adv_ip/register/docs/ipv6_gtp_v2.pdf [2] U.S. Service Academy IPv6 Pilot Network Project, DISA Project Proposal, March, 2007. [3] P. Loshin, IPv6: Theory, Protocol, and Practice, 2nd ed., Morgan Kaufmann Publishers, 2004. [4] C. Popoviciu, E. Levy-Abegnoli, and P. Grossetete, Deploying IPv6 Networks, Cisco Press, 2006. [5] R. Hinden, Internet Protocol Version 6 (IPv6) Addressing Architecture, IETF RFC 3513, 2003; http://www.faqs.org/rfcs/rfc3513.html. [6] R. Hinden, IPv6 Global Unicast Address Format, IETF RFC 3587, 2003; http://www.faqs.org/rfcs/rfc3587.html. [7] S. Deering, IPv6 Scoped Address Architecture, IETF RFC 4007, 2005; http://www.faqs.org/rfcs/rfc4007.html. [8] T. Berners-Lee, Uniform Resource Identifiers (URI): General Syntax, IETF RFC 2396, 1998; http://www.faqs.org/rfcs/rfc2396.html. [9] IAB, IAB/IESG Recommendations on IPv6 Address Allocations to Sites, IETF RFC 3177, 2001; http://www.faqs.org/rfcs/rfc3177.html. [10] Microsoft Corporation, “Step-by-Step Guide for Setting Up IPv6 in a Test Lab”, Microsoft Corporation, 2006. [11] C.B. Landis, “IPv6 Testing”, Computer Science Department Research Project Report, Technical Report 2006-02, US Naval Academy, 2006.